Review and action Security_Checklist to make sure you've gone through all of the steps (please note some steps are optional, but please review them all).

Change all passwords and if possible user names for the domains control panel, mysql, FTP, joomla Super Admin, and joomla Admin password; do change them often. Passwords should be at least 12 mixed alphanumeric characters and contain no common word phrases.

Use proper permissions on files and directories. They should never be 777[1], but ideal is 644 for files and 755 folders.

IF you have permissions to access SSH (secure shell) via putty/sftp you can chmod the files and directories. You can use the following commands from within the public_html (or similar) directory. For files use:

find -type f -exec chmod 644 {} \;

and for directories use:

find -type d -exec chmod 755 {} \;

Request to be put on another server with php as cgi and suphp and up-to-date serverside software (apache, php etc) on your existing host or find another server host if necessary.

To check the recent file changes on your system use these commands or via a cron job

find \public_html -ctime -1

or

find \public_html -mtime -1

Please note the location of your files may be public_html or httpdocs or similar.

To protect directories that seemed to need 777 permissions to run or as a default in your images/media folder try this code within a .htaccess file within the open folder.

Make sure that is in a htaccess file in a directory that will not run any scripts or remove the extensions as required

Do check with your hosting provider to see if they have purposely secured the server your site is on; and that they or you perform regular (weekly) security updates to keep the server up to date. Check you have jail shell. A rule of thumb is the less you pay, the less they care

A Safe route for disaster relief

save the configuration.php file and your images and personal files one by one, (not the folder as it may contain unwanted files)

wipe the entire folder where Joomla! is installed

upload a new clean full package latest version of joomla 1.5.x (minus the install folder)

reupload your configuration file & images, templates (even better is to use original clean copies to ensure that the hacker/defacer did not leave any shell script files in your site)

reupload or reinstall the latest versions of your extensions.

To do this will take your site off line for around 15 minutes. To track down your hacked/defaced html may take hours or even longer.

Malicious Code or Odd Links appearing on your site

Check that the original template file does or does not insert the unwanted code or that you downloaded a paid for template from a non trusted source eg file sharing sites

Gumblar doesn’t use any particular script vulnerability. This script is injected into every web page ( I would imagine though not confirmed, if infected page is edited then saved it will also be in database) on a site. Script changes every time it is accessed. It has been seen on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, on proprietary PHP sites. The script starts with (function( and has no name and is obfusticated. A common Gumblar version breaks sites due to a bug in script.

iFrames

In recent iframe exploits the malicious code was only injected into files with most common filenames (e.g. index.html, index.php, etc.). Related Forum Sticky

Contributors & Editing

References

When your hosting provider runs PHP as an Apache Module it executes as the user/group of the webserver which is usually "nobody", "httpd" or "apache". Under this (ownership) mode, files or directories that you require your php scripts to be able to write do need 777 permissions (read/write/execute at user/group/world level) if the ownership of the files and directories are not Chown (Change Owner) to the User. Such a scenario is absolute unacceptable from a security perspective since '777' not only allows the webserver to write to the file; it also allows anyone else to read or write to the file. If your provider is not able to change this, one should strongly consider changing host!

Logs Make sure that in your control panel your raw access logs have been activated for review!

Raw Access Logs allow you to see who has accessed your site without the use of graphs, charts or other graphics. in cPanel for instance you can use the Raw Access Logs menu to download a zipped version of the server's access log for your site. This can be very useful when you need to see who is accessing your site quickly. Many people forget that this needs to be activated by the user of the account and is not automatically activated upon the creation of a hosting account in cPanel for instance!